CVE-2026-43319: In the Linux kernel, the following vulnerability has been resolved: spi: spidev: fix lock inversion between spi_lock an
Summary
The Linux kernel's spidev driver had a lock inversion bug: two mutexes, spi_lock and buf_lock (a mutex ensures that only one thread at a time runs a given section of code), were acquired in different orders on different code paths. Two threads could each end up holding one lock while waiting for the other, a potential deadlock in which the program freezes. The bug could be triggered by issuing write() and ioctl() calls concurrently from different threads on the same device file.
Solution / Mitigation
The fix simplifies the locking model by removing buf_lock entirely and having spidev_sync() no longer perform any locking, with all callers instead serializing access using only spi_lock. This eliminates the lock inversion and prevents deadlocks without changing the user-facing API or behavior.
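A userspace model of the inversion and of the single-lock fix described above, added here as an example; it is not taken from the kernel source or from the patch. It replays each path's lock sequence through a small order tracker in the style of lockdep. The per-path acquisition order (write() taking buf_lock then spi_lock, ioctl() the reverse) is an assumption for illustration, and replay, inversions, before_fix and after_fix are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Userspace model only: lock names come from the advisory, the rest is illustrative. */
enum { SPI_LOCK, BUF_LOCK, NLOCKS };
/* before[a][b] == 1 means some path took lock b while already holding lock a. */
struct order_graph { int before[NLOCKS][NLOCKS]; };

/* Replay one path's acquisitions (locks stay held until the path returns).
 * Records each held -> new edge and counts edges whose reverse already exists. */
static int replay(struct order_graph *g, const int *seq, int n)
{
    int found = 0;
    for (int j = 1; j < n; j++)
        for (int i = 0; i < j; i++) {
            g->before[seq[i]][seq[j]] = 1;
            found += g->before[seq[j]][seq[i]]; /* AB here, BA elsewhere */
        }
    return found;
}

/* Count inversions between a write() path and an ioctl() path on one device. */
static int inversions(const int *wr, int nwr, const int *io, int nio)
{
    struct order_graph g;
    memset(&g, 0, sizeof g);
    int found = replay(&g, wr, nwr);
    return found + replay(&g, io, nio);
}

/* Assumed pre-fix ordering: write() takes buf_lock then spi_lock, ioctl() the reverse. */
static int before_fix(void)
{
    const int wr[] = { BUF_LOCK, SPI_LOCK }, io[] = { SPI_LOCK, BUF_LOCK };
    return inversions(wr, 2, io, 2);
}

/* Post-fix model from the advisory: buf_lock is gone, every caller takes only spi_lock. */
static int after_fix(void)
{
    const int wr[] = { SPI_LOCK }, io[] = { SPI_LOCK };
    return inversions(wr, 1, io, 1);
}

int main(void)
{
    printf("before fix: %d inversion(s), after fix: %d\n", before_fix(), after_fix());
    return 0;
}
```

With a single lock there is no second lock to order against, so no AB/BA pair can be recorded and the tracker reports nothing.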
Vulnerability Details
EPSS: 0.0%
May 8, 2026
Classification
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-43319
First tracked: May 8, 2026 at 02:11 PM
Classified by LLM (prompt v3) · confidence: 95%